
PAM: You're not alone.

The interplay of PAM with Cybersecurity, IAM, and ITSM.
Go for a program: PAM, its role in your cybersecurity and IAM initiatives, and how to leverage synergies.

MARTIN KUPPINGER
PRINCIPAL ANALYST
KUPPINGERCOLE ANALYSTS AG
© 2020 KUPPINGERCOLE ANALYSTS AG, 7/6/2020
PAM: Privileged Access Management
Among the essential threats to the cyber security landscape is the
potential misuse of accounts with high or elevated authorizations on IT
systems.
Privileged Access Management helps organizations
• to identify, assess, and appropriately manage their privileged accounts,
• to protect their critical business processes and corporate and financial assets from attacks and fraudulent access,
• to ensure compliance,
• to protect against data breaches.

Typical characteristics of privileged accounts, and why they are hard to manage:
▪ High privileges
▪ High risk
▪ Not in scope of IAM
▪ Lack of life cycle management
▪ Lack of request management
▪ Not associated with a person
▪ Lack of auditability



PAM Integration Areas
PAM does not stand alone – coexistence and integration with other solutions is key to success

▪ IGA (Identity Governance & Administration)
▪ Adaptive Authentication
▪ IT Asset Management
▪ SIEM, SOC, SOAR
▪ Cloud Management (e.g. SaaS offerings)
▪ ITSM (IT service management)
▪ Remote Access Solutions



PAM and its relationship to IGA
IGA (Identity Governance and Administration) provides the capabilities
for enabling and controlling access of all users to all types of services.

Functional distinction
▪ Both IGA and PAM represent important but separate capabilities
related to Cyber Security and associated with Identity and Access
Management.
▪ IGA manages and monitors unique and trusted identities and their
static entitlements as an indispensable foundation for PAM.
▪ PAM has become one of the most relevant areas of Identity and
Access Management to identify, secure and manage privileged
credentials and their (runtime) access.

Interfaces
▪ IGA and PAM typically interact through proprietary APIs and
sometimes via standards as part of an IAM architecture.

Integration with IGA
▪ Integration with IAM and IGA, with immediate access to user account, group and access data, allows provisioning, recertifying and revoking elevated access to and from IT systems.
▪ Access Governance and a well-defined integration with PAM allow the identity lifecycle processes to be reflected in the ownership of privileged accounts and their association with personalized users.



IGA & PAM: Dream Team or Estranged Couple?
There are challenges in integrating both areas – but this is a must

Requires clear processes and policies

Requires technical interfaces and APIs

Requires strong governance and management

Requires organizational adjustments (IT <-> business)

High (process) maturity level in IAM/IAG as a prerequisite


→ beyond JML (Joiner/Mover/Leaver).
IGA & PAM: Dream Team or Estranged Couple?
There also are opportunities and benefits in integration – beyond risk mitigation

Breaks up Governance Silos

Enables real SoD for regular and privileged access

Substantially improves an organization's security posture

Establishes real time visibility of all accounts of a person

Detects and governs overprivileged accounts

Solves PxM issues (ownership, handover, privileged account recertification)



Best Practices: IGA to PAM Integration done right
PAM & IGA must interface with each other, and this needs to be done right for secure and efficient operations

APPLICATION ONBOARDING
01 Onboarding processes for applications must become integrated for proper management of both privileged accounts in PAM and entitlements in IGA.

ACCOUNT OWNERSHIP
02 Every shared account needs an owner. This must be integrated, for well-working mover processes and re-assignment of ownership.

MOVER PROCESSES
03 Mover processes must trigger re-assignment of ownership for shared accounts. Mandatorily.

ACCESS REVIEWS
04 Privileged access entitlements and access policies must become part of the regular review process.

SEGREGATION OF DUTIES
05 This area is of specific criticality for privileged accounts and must become well-managed and enforced, to avoid fraud and attacks.

OVERALL INTEGRATION
06 Access Governance and PAM are, together with Access Management, the foundation of a comprehensive concept for mitigating privileged access risks.

[Diagram: User Management and Access. IGA covers standard & privileged entitlements, PAM covers privileged accounts, Access Management covers standard & privileged runtime access; all three sit between the user and the target systems & applications.]
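Points 02 to 05 above (ownership, mover re-assignment, access reviews, SoD) and the "all accounts of a person" benefit on the previous slide are checks that can be run mechanically once IGA and PAM expose their data to each other. The following Python is an added example written for this page; it is not code from the deck or from any IGA or PAM product. The record layouts, the sample identities and accounts, and the SoD rule format are assumptions made for illustration.

```python
"""Reconciling IGA identity data with PAM shared-account data.

Added example, not from the KuppingerCole deck or any product. All records
below are constructed sample data; field names and the SoD rule format
(standard entitlement vs. privileged account) are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:              # as held by IGA: one trusted identity per person
    uid: str
    status: str              # "active" or "left"
    department: str
    entitlements: frozenset  # static, standard entitlements governed by IGA


@dataclass(frozen=True)
class PrivAccount:           # as held by PAM: a shared/privileged account on a target
    name: str
    target: str
    owner: Optional[str]     # uid of the personalized owner, None = unowned
    owner_department: str    # department recorded when ownership was assigned


# Constructed IGA data
IDENTITIES = [
    Identity("alice", "active", "db-ops", frozenset({"vpn", "erp_user"})),
    Identity("bob", "active", "finance", frozenset({"vpn", "erp_payment_approver"})),
    Identity("carol", "left", "db-ops", frozenset()),
    Identity("dave", "active", "network", frozenset({"vpn"})),
]

# Constructed PAM data: shared accounts and who may check them out
ACCOUNTS = [
    PrivAccount("sys", "erp-db", owner="alice", owner_department="db-ops"),
    PrivAccount("root", "core-sw-1", owner="dave", owner_department="helpdesk"),  # dave has moved
    PrivAccount("admin", "fw-cluster", owner=None, owner_department=""),
    PrivAccount("backup", "erp-db", owner="carol", owner_department="db-ops"),
]
GRANTS = {  # identity uid -> set of "target/account" it may check out in PAM
    "alice": {"erp-db/sys", "erp-db/backup"},
    "bob": {"erp-db/sys"},        # SoD: payment approver with DB superuser
    "carol": {"erp-db/backup"},   # leaver still holding a grant
}

# SoD rules spanning both worlds: (standard entitlement, privileged account)
SOD_RULES = {("erp_payment_approver", "erp-db/sys")}


def reconcile(identities, accounts, grants, sod_rules):
    """Cross-check PAM ownership and grants against the IGA identity records."""
    by_uid = {i.uid: i for i in identities}
    findings = {"unowned": [], "orphaned_owner": [], "owner_moved": [],
                "leaver_grant": [], "sod_conflict": []}
    for a in accounts:
        key = f"{a.target}/{a.name}"
        if a.owner is None:
            findings["unowned"].append(key)              # every shared account needs an owner
            continue
        owner = by_uid.get(a.owner)
        if owner is None or owner.status != "active":
            findings["orphaned_owner"].append(key)       # owner unknown to IGA or a leaver
        elif owner.department != a.owner_department:
            findings["owner_moved"].append(key)          # mover: ownership must be re-assigned
    for uid, held in grants.items():
        ident = by_uid.get(uid)
        if ident is None or ident.status != "active":
            findings["leaver_grant"].extend(sorted(f"{uid}:{h}" for h in held))
            continue
        for ent in ident.entitlements:                   # SoD across standard and privileged
            for acct in held:
                if (ent, acct) in sod_rules:
                    findings["sod_conflict"].append(f"{uid}:{ent}+{acct}")
    return findings


def person_view(uid, identities, grants):
    """All access of one person: standard entitlements plus privileged grants."""
    ident = next(i for i in identities if i.uid == uid)
    return {"standard": sorted(ident.entitlements),
            "privileged": sorted(grants.get(uid, ()))}


if __name__ == "__main__":
    for kind, items in reconcile(IDENTITIES, ACCOUNTS, GRANTS, SOD_RULES).items():
        print(f"{kind}: {items}")
    print(person_view("alice", IDENTITIES, GRANTS))
```

Fetching the real records is the vendor-specific part (the proprietary APIs mentioned on the IGA slide); the checks themselves do not change. The `owner_department` field stands in for whatever the PAM system records at assignment time; comparing it with the current IGA department is what turns a mover event into a re-assignment task, and the `sod_conflict` finding is only possible because both data sets are joined on the same trusted identity.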



PAM and its relationship to cybersecurity
Cybersecurity is the overall practice of defending systems,
infrastructures, networks and data from malicious attacks.

Functional distinction
▪ PAM provides crucial technologies for preventing security breaches
and credential thefts by provisioning, recertifying and revoking
elevated access to and from IT systems.
▪ PAM has direct relevance and impact on an organization’s
cybersecurity program. As part of an IAM architecture it is usually
considered as part of cybersecurity.

Interfaces
▪ PAM interacts with other cybersecurity services through standardized protocols and APIs, as part of an IAM and cybersecurity architecture.
▪ PAM provides logs and user behavior analytics data to its cybersecurity peers.

Integration with cyber security
▪ PAM provides a clearly defined and delineated set of capabilities within a cybersecurity strategy and architecture.
▪ As such, PAM both provides data and intelligence to, and consumes it from, peer cybersecurity systems.



PAM & Cybersecurity: Integration Points
Where to integrate PAM and Cybersecurity for an improved cyber risk mitigation

SIEM AND THE SOC
01 The obvious and foremost integration is between PAM and the SIEM solutions in the SOC, for providing PAM-related events to the SOC for further analysis.

THE SOC AND PAM
02 There also is a logical integration back, e.g. for providing PUBA (Privileged User Behavior Analytics) with additional data from the SOC.

ADAPTIVE AUTHENTICATION
03 While being more of an IAM capability, integration is key – Adaptive Authentication helps protect PAM access, and benefits from current threat data from the SOC.

NETWORK SECURITY
04 PAM can protect the operators and administrators of network devices – this is a typical privileged access, frequently using shared accounts.

CLOUD SECURITY SOLUTIONS
05 PAM also helps in protecting admin access to cloud security solutions, as to all other admin systems.

ON PREMISE SECURITY SOLUTIONS
06 However, this is not limited to the cloud, but also applies to every other type of security solution. Don't use shared or unprotected individual accounts for security management.
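The SIEM integration in point 01 is only useful if the SOC actually does something with the PAM events. The most valuable correlation is the one that catches the vault being bypassed: every logon with a privileged account seen on a target should fall inside a PAM session for that account and target, and should come through the PAM gateway. The Python below is an added example for this page, not code from the deck or from any SIEM or PAM product. The sshd log format, the PAM session export layout, the gateway address and all records are constructed assumptions; the `ticket` field on each session is the ITSM reference that a later slide says should accompany manual fulfillment.

```python
"""Correlating target-system logons with PAM session records in the SIEM.

Added example, not from the KuppingerCole deck or any SIEM/PAM product.
A privileged logon that has no covering PAM session, or that does not
originate from the PAM gateway, is reported as a PAM bypass. Log and
export formats, the gateway address and all records are constructed.
"""
import re
from datetime import datetime, timedelta

PAM_GATEWAY = "10.0.0.5"            # assumed address of the PAM session proxy
PRIVILEGED = {"root", "sys", "admin"}  # accounts that must only be used via PAM

# Constructed PAM session export: who checked out which account, when, under which ticket
PAM_SESSIONS = [
    {"user": "alice", "account": "root", "target": "erp-db",
     "start": "2020-07-06T09:00:00+00:00", "end": "2020-07-06T09:30:00+00:00", "ticket": "CHG-1041"},
    {"user": "dave", "account": "admin", "target": "fw-cluster",
     "start": "2020-07-06T10:00:00+00:00", "end": "2020-07-06T10:15:00+00:00", "ticket": "INC-2207"},
]

# Constructed sshd lines forwarded from the targets (RFC 3339 timestamps)
TARGET_LOGS = """\
2020-07-06T09:05:12+00:00 erp-db sshd[2231]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2
2020-07-06T09:20:40+00:00 erp-db sshd[2290]: Accepted password for root from 10.10.5.7 port 40022 ssh2
2020-07-06T11:02:03+00:00 erp-db sshd[2410]: Accepted publickey for root from 10.0.0.5 port 51301 ssh2
2020-07-06T10:03:15+00:00 fw-cluster sshd[881]: Accepted publickey for admin from 10.0.0.5 port 52210 ssh2
2020-07-06T10:04:00+00:00 fw-cluster sshd[882]: Accepted publickey for dave from 10.10.5.9 port 52211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port"
)


def parse_logons(text):
    """Yield (timestamp, host, account, source_ip) for every accepted sshd logon."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"])


def covering_session(sessions, when, host, account, slack=timedelta(minutes=1)):
    """Return the PAM session that covers this logon (with a little clock slack), or None."""
    for s in sessions:
        if s["target"] == host and s["account"] == account:
            start = datetime.fromisoformat(s["start"]) - slack
            end = datetime.fromisoformat(s["end"]) + slack
            if start <= when <= end:
                return s
    return None


def detect_bypass(sessions, log_text, privileged=PRIVILEGED, gateway=PAM_GATEWAY):
    """Return one alert per privileged logon that was not brokered by PAM."""
    alerts = []
    for when, host, account, src in parse_logons(log_text):
        if account not in privileged:
            continue  # personal accounts are IGA's business, not a vault bypass
        session = covering_session(sessions, when, host, account)
        if session is None:
            alerts.append({"host": host, "account": account, "src": src,
                           "at": when.isoformat(), "reason": "no PAM session"})
        elif src != gateway:
            alerts.append({"host": host, "account": account, "src": src,
                           "at": when.isoformat(),
                           "reason": "session active but not via PAM gateway",
                           "ticket": session["ticket"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bypass(PAM_SESSIONS, TARGET_LOGS):
        print(alert)
```

On the constructed data this raises two alerts: a password logon as root from a workstation while alice's session was open (the credential has leaked out of the vault, or the gateway is being bypassed), and a root logon through the gateway with no session at all. The source-address check matters because a checked-out password used directly from a workstation would otherwise look legitimate to a time-window-only correlation; it presumes the targets only accept privileged logons from the gateway, which is a firewall or sshd policy, not something the SIEM can enforce.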
PAM & ITSM: Integration Points
Where to integrate PAM and ITSM

PAM APPLICATION ONBOARDING
01 Application onboarding to PAM and all of IAM involves manual tasks, which should be performed via ITSM – well-controlled.

PAM MANUAL FULFILLMENT
02 Aside from that, there are many other manual fulfillment tasks in PAM, such as setting up access to servers. Again: ITSM should be used, with tickets, for control.

PRIVILEGED ITSM ACCESS
03 ITSM systems play an increasingly central role in many businesses. This is where PAM comes into play: managing and monitoring privileged use and administration of ITSM.

PRIVILEGED ITSM SESSIONS
04 Many sessions in ITSM access other systems in some privileged manner, e.g. via shared accounts. SAPM (Shared Account Password Management) and Session Management are essential here.



PAM and its relationship to Remote Access
Remote access is the ability to access a computer or a network remotely
through a network connection. This includes clients and servers for
protocols like telnet, ssh, vnc, X11 and proprietary solutions like
Microsoft’s RDP or Citrix Gateway.
This also includes the segment for session-oriented commercial solutions
for administrative access.

Functional distinction
▪ Remote access solutions provide isolated point solutions for remote access, usually without a sufficient security, management or governance layer.
▪ PAM also provides mechanisms to access remote or local systems, but adds a comprehensive set of security, management and governance capabilities, including but by far not limited to session management.

Interfaces
▪ Usually there are no interfaces required, as PAM provides a secure
and managed alternative for typically insecure remote access
solutions.

Integration with Remote Access
▪ None.



Take a Broader Perspective: PAM & Identity Fabric
Think holistic: PAM is part of your bigger effort towards a unified, modern IAM – and links to other areas of IT

[Diagram: the Identity Fabric. Digital Services consume identity functions through an Identity API Layer (standards support & custom integrations), giving agility for new digital services. Capabilities: Identity Federation, Access Management, Identity Governance and UBA, Privileged Access Management, Identity Provisioning, Credentials Management, Privacy & Consent, Adaptive AuthN, and more. Services: Identity API Layer, Web Access Management, Access Governance Service, Identity Management Service, Privileged Access Management Service, and more. Technical architecture: containers with microservices exposing APIs, deployable in the local data center, private cloud and public cloud. Integration and hybrid support: custom connectors & integrations towards Legacy IAM and Legacy Applications.]



Privileged Access Management: Why you need it
Reasons for having a well-thought-out Privileged Access Management in place

RISK MITIGATION
01 Restricting and minimizing privileged access for efficiently mitigating security risks.

COMPLIANCE
02 Enforcing the least privilege principle and other regulatory compliance requirements.

CYBER ATTACK RESILIENCE
03 Increasing cyber-attack resilience by controlling and monitoring privileged access against attackers.

SECURITY
04 Protecting systems against malicious use, including internal attacks.

SPLIT RESPONSIBILITIES
05 Assign tasks to different groups of users, e.g. different service and support levels.

MSP-TO-TENANT RELATIONSHIP
06 Control what MSPs and what tenants are allowed to do and restrict MSP access to a minimum.

WORKFORCE ENABLEMENT
07 Enable your workforce, e.g. service and support desk, to efficiently execute granular tasks.

AVOIDING HUMAN ERROR
08 Reduce human error by automating privileged tasks and restricting tasks to the minimum.



KuppingerCole Analysts AG
Wilhelmstr. 20 - 22
65185 Wiesbaden | GERMANY

P: +49 | 211 - 23 70 77 - 0
F: +49 | 211 - 23 70 77 – 11

E: info@kuppingercole.com
www.kuppingercole.com
